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Summary 

Even before the terrorist attacks of September 2001, concerns had been rising 
among security experts about the vulnerabilities to attack of computer systems and 
associated infrastructure. Yet, despite increasing attention from federal and state 
governments and international organizations, the defense against attacks on these 
systems has appeared to be generally fragmented and varying widely in effectiveness. 
Concerns have grown that what is needed is a national cybersecurity framework — 
a coordinated, coherent set of public- and private- sector efforts required to ensure an 
acceptable level of cybersecurity for the nation. 

As commonly used, cybersecurity refers to three things: measures to protect 
information technology; the information it contains, processes, and transmits, and 
associated physical and virtual elements (which together comprise cyberspace ); the 
degree of protection resulting from application of those measures; and the associated 
field of professional endeavor. Virtually any element of cyberspace can be at risk, 
and the degree of interconnection of those elements can make it difficult to determine 
the extent of the cybersecurity framework that is needed. Identifying the major 
weaknesses in U.S. cybersecurity is an area of some controversy. However, some 
components appear to be sources of potentially significant risk because either major 
vulnerabilities have been identified or substantial impacts could result from a 
successful attack. — in particular, components that play critical roles in elements of 
critical infrastructure, widely used commercial software, organizational governance, 
and the level of public knowledge and perception about cybersecurity. 

There are several options for broadly addressing weaknesses in cybersecurity . 
They include adopting standards and certification, promulgating best practices and 
guidelines, using benchmarks and checklists, use of auditing, improving training and 
education, building security into enterprise architecture, using risk management, and 
using metrics. These different approaches all have different strengths and 
weaknesses with respect to how they might contribute to the development of a 
national framework for cybersecurity. None of them are likely to be widely adopted 
in the absence of sufficient economic incentives for cybersecurity. 

Many observers believe that cyberspace has too many of the properties of a 
commons for market forces alone to provide those incentives. Also, current federal 
laws, regulations, and public -private partnerships appear to be much narrower in 
scope than the policies called for in the National Strategy to Secure Cyberspace and 
similar documents. Some recent laws do provide regulatory incentives for corporate 
management to address cybersecurity issues. Potential models for additional action 
include the response to the year-2000 computer problem and federal safety and 
environmental regulations. Congress might consider encouraging the widespread 
adoption of cybersecurity standards and best practices, procurement leveraging by the 
federal government, mandatory reporting of incidents, the use of product liability 
actions, the development of cybersecurity insurance, and strengthened federal 
cybersecurity programs in the Department of Homeland Security and elsewhere. This 
report will be updated in response to significant developments in cybersecurity. 
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Even before the terrorist attacks of September 2001, concerns had been rising 
among security experts about the vulnerabilities to attack of computer systems and 
associated infrastructure. There were several reasons for those rising concerns. First, 
computer systems were becoming increasingly powerful and increasingly 
interconnected, with many enterprises in the public and private sectors coming to rely 
on them for fundamental business functions. Second, the size and reach of the 
Internet was growing dramatically. Not only were more and more businesses and 
households in the United States using the Internet, but the same phenomenon was 
happening worldwide. Third, the number and sophistication of attacks by criminals 
and vandals was growing, and many experts thought that terrorists and other 
adversaries were preparing to launch attacks on computer systems via the Internet or 
other means. Those trends have generally continued over the last several years. 

Yet, despite increasing attention from federal and state governments and 
international organizations, the defense against attacks on these systems has appeared 
to be generally fragmented and varying widely in effectiveness. Even with the 
establishment of the Department of Homeland Security by the Homeland Security 
Act of 2002 (P.L. 107-296), with its consolidation of several cybersecurity efforts 
within the Information Assurance and Infrastructure Protection Directorate, and the 
subsequent publication of the National Strategy to Secure Cyberspace ( NSSC ), 1 
concerns grew that a more coordinated, coherent approach — what might be called 
a national cybersecurity framework 2 — was needed. What such a framework should 
consist of, whom it should apply to, and how it should be developed and 
implemented have remained uncertain. Several processes are underway that may 
contribute to the development of such a framework, ranging from some sector- 
specific activities to proposals for federal legislation. The issues associated with that 
development can be difficult to understand and address for several reasons, perhaps 
most notably because of the sheer size, complexity, and interconnectedness of the 
information infrastructure and associated technology and applications. The purpose 



1 The White House, National Strategy to Secure Cyberspace, February 2003, 
[http://www.whitehouse.gov/pcipb/cyberspace_strategy.pdf]. 

2 See, for example, F. William Connor and others, Information Security Governance: A Call 
to Action, Report of the Corporate Governance Task Force, April 2004, available at 
[http://www.cyberpartnership.org/init-governance.html]; and Chris Klaus and others, 
Recommendations Report, Report of the Technical Standards and Common Criteria Task 
Force, April 2004, available at [http://www.cyberpartnership.org/init-tech.html]. These 
reports discuss and examine frameworks within the scope of the issues each covers — 
governance and technical standards, respectively. 
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of this report is to lend structure to the debate about those issues by examining some 
fundamental concepts and questions relating to a framework. 

A national cybersecurity framework can be thought of as the essential set of 
public- and private- sector efforts required to ensure an acceptable level of 
cybersecurity for the nation. To be effective, such a framework would need to 
operate in at least four dimensions. One, perhaps the most obvious, consists of the 
elements of cybersecurity. It includes both the general approach — e.g., goals, best 
practices, benchmarks, standards — and specific areas of focus, such as technology, 
process, and people. A second dimension is the components of cyberspace — what 
would be covered by the framework. That includes both specific elements, such as 
computer operating systems and Internet servers, and the sectors which would be 
involved. A third dimension is the method of application. For example, should the 
framework be required, voluntary, or ad hoc? The fourth dimension is the functions 
and goals of the framework. Is its purpose to defend against crime, to improve the 
environment for electronic commerce, to protect critical infrastructure, or some 
combination of those? 

No consensus proposal for a cybersecurity framework has yet emerged, and 
suggestions tend to focus on different approaches and components. Some of those 
emphasize cybersecurity policies and goals, others procedures, still others 
technology. Some stress standards, others best practices or benchmarks, and still 
others focus on guidelines. This diversity of possible approaches can complicate 
examination of the issues. A further complication may arise from the lack of 
consensus meanings for terms used to denote different approaches. 

To examine what kind of framework may be needed and how it might be 
implemented, it may be helpful to address three questions: 

1. Where are the major cybersecurity weaknesses currently, and where might 
weaknesses be anticipated in the future? The term weaknesses as used here 
includes vulnerabilities and associated risks as those terms are usually 
understood, but also other factors that might negatively impact cybersecurity but 
might not usually be considered vulnerabilities or risks. For example, 
misperceptions about risks might be a weakness. A weakness is major if failure 
to address it could realistically have a significant national impact on the 
economy, public safety, or other critical services. The assessment of 
weaknesses will also determine the goals of a framework to a significant extent. 

2. What are the major means of leverage for addressing those weaknesses? 
These could include such approaches as the adoption of standards or best 
practices, improvements in software engineering, investment in training and 
education, or correction of market failures. 

3. What roles should government and the private sector play in the use of those 
means of leverage to address current and potential future weaknesses ? It might 
be, for example, that market forces are sufficient to address the concerns. 
Alternatively, incentives might be needed to promote voluntary measures, or 
regulation might be required. Among the policy options that Congress could 
consider are encouraging broader use of cybersecurity standards and best 
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practices in the private sector, using federal procurement practices to leverage 
general improvements in products and services, encouraging mandatory 
reporting of security incidents, facilitating product-liability actions in response 
to inadequate cybersecurity practices, encouraging the development of 
cybersecurity insurance, and strengthening federal cybersecurity programs. 

This report addresses each of those questions in turn. However, before doing 
so, it may be useful to discuss exactly what the term cybersecurity refers to. 



What Is Cybersecurity? 

One of the prerequisites for developing a common national framework for 
cybersecurity is a common understanding of what this and related terms mean. 
Achieving that can be difficult, for several reasons. Perhaps the major one is 
complexity. There are many components of cyberspace and many potential 
components of a framework. A variety of stakeholders will be involved with, 
exposed to, and in some cases predisposed to focus on different parts of cyberspace, 
different elements of a framework, and different approaches to security. 
Consequently, attempts to create a coordinated national framework could be 
challenging. 

Another problem is that there appears to be no generally accepted definition of 
cyber security, and several different terms are in use that have related meanings. For 
example, information security is defined in some subsections of federal copyright law 
to mean “activities carried out in order to identify and address the vulnerabilities of 
a government computer, computer system, or computer network” (17 U.S.C. 1201(e), 
1202(d)), and, in the Federal Information Security Management Act (FISMA, P.L. 
107-296, Title X, 44 U.S.C. 3532) as “protecting information and information 
systems from unauthorized access, use, disclosure, disruption, modification, or 
destruction.” 

The term information assurance (IA) is also used. One section of federal 
military law defines it to include computer and network security as well as any other 
information technology so designated by the Secretary of Defense (10 U.S.C. 
2200(e)). The National Security Agency (NSA) defines information assurance as 

Measures that protect and defend information and information systems by 
ensuring their availability, integrity, authentication, confidentiality, and non- 
repudiation. These measures include providing for restoration of information 
systems by incorporating protection, detection, and reaction capabilities. 3 



3 Committee on National Security Systems (CNSS), National Security Agency, “National 
Information Assurance (IA) Glossary,” CNSS Instruction No. 4009, May 2003, 
[http://www.nstissc.gov/Assets/pdf/4009.pdf]. p. 32. The glossary defines the 5 elements 
of I A as follows: 

Authentication: Security measure designed to establish the validity of a transmission, 
message, or originator, or a means of verifying an individual’s authorization to receive 
specific categories of information (p. 4). 
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